KSC Open API
Kaspersky Security Center API description
|
Normally, arrays behave like values as IntValue or StringValue, as they are replaced as a whole. However, sometimes concatenating arrays may be useful, so that an array from the secondary policy is added to the end of the array from the primary policy.
As secondary policy is always modified by the primary policy, array items must have a key to understand which items are the same and which items are different, to prevent endless concatenation. This means that array items must have a special attribute, the "concatenation name" KLPRSS_ValConcatItemName, and the array must have the KLPRSS_ValConcatArray attribute (see the table below).
Attributes responsible for array concatenation in policies:
Attribute | Type | Description | Usage |
---|---|---|---|
KLPRSS_ValConcatArray | paramBool | Policy array concatenation flag. If the value is 'true', then arrays will be concatenated when the parent policy modifies a child one. Array items must have the KLPRSS_ValConcatItemName attribute. | Attribute of the array. |
KLPRSS_ValConcatItemName | paramString | Concatenation name. Items with the same name are considered to be the same. Absence of the attribute is considered to be an empty string. | Attribute of the array item. |
Imagine we have the following:
The array will be concatenated if the expression (bArrayMandatory_Master && (bConcatenate_Slave || bConcatenate_Master)) is true. That is, if the array from the upper-level policy has lock pressed, and the KLPRSS_ValConcatArray attribute of the array is equal to true either in the upper-level policy or in the lower-level policy or in both of them.
Imagine we have the following:
The effective policy will obtain a concatenated array if the expression (bArrayMandatory_Master && (bConcatenate_Slave || bConcatenate_Master)) is true. That is, if the array from the profile has lock pressed, and the KLPRSS_ValConcatArray attribute of the array is equal to true either in the policy profile or in the base policy, or in both of them.
For policies affecting each other over the hierarchy, the behavior is the same.
If an array of the paramArray type has the KLPRSS_Mnd=true and KLPRSS_ValConcatArray=true attributes in the policy profile, and elements of the array both in the policy profile and in the base policy are named by means of the KLPRSS_ValConcatItemName attribute, then at the host side the effective policy (the base policy with applied active profiles) will have the array made up according the following rules:
Let's say we have in the base policy a section with the following contents:
+--- (PARAMS_T) +---KLPRSS_Mnd = (BOOL_T)true +---KLPRSS_Val (ARRAY_T) | +---0 (PARAMS_T) | | +---KLPRSS_Mnd = (BOOL_T)true | | +---KLPRSS_Val = (STRING_T)"cmd.exe from a secondary server" | | +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for cmd.exe" | +---1 (PARAMS_T) | | +---KLPRSS_Mnd = (BOOL_T)true | | +---KLPRSS_Val = (STRING_T)"mysql.exe from a secondary server" | | +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for mysql.exe" | +---2 (PARAMS_T) | +---KLPRSS_Mnd = (BOOL_T)true | +---KLPRSS_Val = (STRING_T)"iexplore.exe from a secondary server" | +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for iexplore.exe" +---KLPRSS_ValConcatArray = (BOOL_T)true
And the profile has following contents
+--- (PARAMS_T) +---KLPRSS_Mnd = (BOOL_T)true +---KLPRSS_Val (ARRAY_T) | +---0 (PARAMS_T) | | +---KLPRSS_Mnd = (BOOL_T)true | | +---KLPRSS_Val = (STRING_T)"iexplore.exe from a primary server" | | +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for iexplore.exe" | +---1 (PARAMS_T) | +---KLPRSS_Mnd = (BOOL_T)true | +---KLPRSS_Val = (STRING_T)"sqlserver.exe from a primary server" | +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for sqlserver.exe" +---KLPRSS_ValConcatArray = (BOOL_T)true
That is:
Then, if the profile is active at the target host the effective policy will have a section with the following contents:
+--- (PARAMS_T) +---KLPRSS_Mnd = (BOOL_T)true +---KLPRSS_Val (ARRAY_T) | +---0 (PARAMS_T) | | +---KLPRSS_Mnd = (BOOL_T)true | | +---KLPRSS_Val = (STRING_T)"iexplore.exe from a primary server" | | +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for iexplore.exe" | | +---KLPRSS_ValLck = (BOOL_T)true | | +---KLPRSS_ValLckGroup = (STRING_T)"" | | +---KLPRSS_ValLckGrpId = (INT_T)-1 | | +---KLPRSS_ValLckPolId = (INT_T)-1 | | +---KLPRSS_ValLckPolicy = (STRING_T)"" | +---1 (PARAMS_T) | | +---KLPRSS_Mnd = (BOOL_T)true | | +---KLPRSS_Val = (STRING_T)"sqlserver.exe from a primary server" | | +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for sqlserver.exe" | | +---KLPRSS_ValLck = (BOOL_T)true | | +---KLPRSS_ValLckGroup = (STRING_T)"" | | +---KLPRSS_ValLckGrpId = (INT_T)-1 | | +---KLPRSS_ValLckPolId = (INT_T)-1 | | +---KLPRSS_ValLckPolicy = (STRING_T)"" | +---2 (PARAMS_T) | | +---KLPRSS_Mnd = (BOOL_T)true | | +---KLPRSS_Val = (STRING_T)"cmd.exe from a secondary server" | | +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for cmd.exe" | +---3 (PARAMS_T) | +---KLPRSS_Mnd = (BOOL_T)true | +---KLPRSS_Val = (STRING_T)"mysql.exe from a secondary server" | +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for mysql.exe" +---KLPRSS_ValConcatArray = (BOOL_T)true +---KLPRSS_ValLck = (BOOL_T)true
That is: